From the last few blog posts, we've seen some results from searching registrant phone numbers; however, googling Chashin's phone number gives us nothing. Let's google his street address next to see if we can come up with something creative. Our first hit comes from a malware record from malwareurl.com -
Domain Name: UKANSNAMI.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.UKANSNAMI.COM
Name Server: NS2.UKANSNAMI.COM
Name Server: NS3.UKANSNAMI.COM
Status: ok
Updated Date: 27-jan-2011
Creation Date: 27-jan-2011
Expiration Date: 27-jan-2012
Registrant [PAK11012722053-1]:
NA Sergej Chashin
glide@yourisp.ru
ul.Gogolya d.15 kv.1
Tyukalinsk, Omskaya oblast 646330
RU
Phone: 7.381228450 Ext:
Fax: 1.
Source: centralops.net
Domain name: SOFTWARESTORE4YOU.COM
Name Server: ns1.softwarestore4you.com
61.191.191.61
Name Server: ns2.softwarestore4you.com
121.61.118.101
Creation Date: 2010.04.30
Updated Date: 2010.05.01
Expiration Date: 2011.04.30
Status: DELEGATED
Registrant ID: HIALRYE-RU
Registrant Name: Sergey A Chashchin
Registrant Organization: Sergey A Chashchin
Registrant Street1: ul.Gogolya d.15 kv.1
Registrant City: Tyukalinsk
Registrant State: Omskaya obl.
Registrant Postal Code: 646330
Registrant Country: RU
Administrative, Technical Contact
Contact ID: HIALRYE-RU
Contact Name: Sergey A Chashchin
Contact Organization: Sergey A Chashchin
Contact Street1: ul.Gogolya d.15 kv.1
Contact City: Tyukalinsk
Contact State: Omskaya obl.
Contact Postal Code: 646330
Contact Country: RU
Contact Phone: +7 3812 284504
Contact E-mail: semen@freenetbox.ru
Source: here

Notice three things here. One, the address is the same. Two, the name has slight changes, suggesting a falsified name. Three, the phone number (+7 3812 284504) is entirely different. So are Sergej Chashin and Sergey A Chashchin one and the same? Yes! Check out this link to the aa419 database. Looks like Sergej and Sergey use the same secondary phone number (+7.3812284504 or +7 3812 284504). Case in point: we can prove the name on the whois record is falsified at this point, but let's see what kind of hits Sergej/Sergey gets on his secondary phone number (link to search results here). Our first glaring example of blatant whois obfuscation lies here -
domain: YOUHELPNOW.RU
nserver: ns1.hostdnssite.com.
nserver: ns2.hostdnssite.com.
nserver: ns3.hostdnssite.com.
nserver: ns4.hostdnssite.com.
state: REGISTERED, NOT DELEGATED, VERIFIED
person: Private Person
phone: +7 3812 284504
e-mail: liver@freenetbox.ru
registrar: NAUNET-REG-RIPN
created: 2010.03.22
paid-till: 2011.03.22
free-date: 2011.04.25
source: TCI
Source: http://whois.domaintools.com/youhelpnow.ru

Private person? I'm sorry, this is not the typical privacy protection; this is someone refusing to give their name in whois registrant details. Privacy protection hides your phone number and your email address. The same was done here and here with phishing sites using Sergej/Sergey's secondary number. I wonder how this got past any registrar, but then again nothing should be shocking by now when it comes to cyber criminal activity.
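As an added example (not part of the original post), here is a small Python script that does the registrant pivot described above mechanically: it parses the three records into common fields, normalises phone and street spelling, reports which pairs of domains share an attribute exactly, and treats "Private Person" as a placeholder rather than an identity. The key aliases and the re-keyed sample records are my assumptions.

```python
import re
from itertools import combinations

# Key aliases across the two whois styles quoted above (.com registrar output
# vs. the RU registry's lowercase "key: value" lines); my assumption, extend as needed.
ALIASES = {"name": ("registrant name", "person"), "street": ("registrant street1",),
           "phone": ("contact phone", "phone"), "email": ("contact e-mail", "e-mail")}
PLACEHOLDER_NAMES = {"private person"}  # a refusal to name anyone, not a privacy service
# Constructed samples: the three records from the post, re-keyed as one
# "key: value" pair per line and cut down to the fields the pivot uses.
SAMPLES = {
    "ukansnami.com": "Registrant Name: Sergej Chashin\nRegistrant Street1: ul.Gogolya d.15 kv.1\n"
                     "Phone: 7.381228450\nE-mail: glide@yourisp.ru",
    "softwarestore4you.com": "Registrant Name: Sergey A Chashchin\nRegistrant Street1: ul.Gogolya d.15 kv.1\n"
                             "Contact Phone: +7 3812 284504\nContact E-mail: semen@freenetbox.ru",
    "youhelpnow.ru": "person: Private Person\nphone: +7 3812 284504\ne-mail: liver@freenetbox.ru",
}

def parse_whois(text):
    """Map a key: value whois dump onto the canonical fields in ALIASES."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return {c: next((fields[k] for k in keys if k in fields), "") for c, keys in ALIASES.items()}

def pivots(record):
    """Normalised attributes worth linking on; empty ones are dropped."""
    out = {"street": re.sub(r"[\s.,]+", "", record["street"]).lower(),  # spacing/punctuation vary
           "phone": re.sub(r"\D", "", record["phone"]),                  # "+7 3812 284504" -> digits only
           "email": record["email"].lower()}
    return {k: v for k, v in out.items() if v}

def link_records(records):
    """(domain_a, domain_b) -> sorted attributes both records share exactly."""
    links = {}
    for (da, ra), (db, rb) in combinations(records.items(), 2):
        pa, pb = pivots(ra), pivots(rb)
        shared = sorted(k for k in pa if pb.get(k) == pa[k])
        if shared:
            links[(da, db)] = shared
    return links

def name_is_placeholder(record):
    return record["name"].strip().lower() in PLACEHOLDER_NAMES

def analyze(samples=SAMPLES):
    records = {d: parse_whois(t) for d, t in samples.items()}
    return records, link_records(records)
```

The exact-match rule is deliberate: the ukansnami.com phone as recorded ("7.381228450") does not equal the secondary number, so that record links to the others only through the street, which is the chain the post relies on.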
So I think it's safe to assume the whois registrant information for ukansnami.com is just as falsified as the rest of Sergej/Sergey's work. This includes his street address, as Google Maps seems to have trouble even finding the street "Gogolya" that the whois claims the registrant resides on. Let's move on to show how the RBN is using the domain ukansnami.com as a name server with some googling -
Fraud:
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
http://scamfraudalert.wordpress.com/2011/02/21/lilac-llc-company/
Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=westview-art.net&submit=query
link here (too long)
Basically it's being used for money mule recruitment and to infect the recruits so the RBN can steal their identity and financial information. Congrats on checking the registrant details for this one, PAKNIC (PRIVATE) LIMITED. You just supplied the RBN with a name server and in turn they gave you falsified whois information.